Its intended use is to share infrastructure-related secrets (such as encrypted data bag secret files, SSL private keys, passwords, etc.) among the infrastructure team.
Add this line to your Chef repository's Gemfile:

```ruby
gem 'knife-briefcase', :git => 'git://github.com/3ofcoins/knife-briefcase/'
```

Or install it yourself:

```shell
$ gem build knife-briefcase.gemspec
$ gem install knife-briefcase*.gem
```
- `knife briefcase put NAME [FILE]` -- encrypts and signs the named `FILE` (or standard input) and saves it in the data bag with ID `NAME`.
- `knife briefcase get NAME [FILE]` -- gets `NAME` from the data bag, checks the signature, decrypts it, and shows the contents on standard output, or saves it to `FILE` if provided.
- `knife briefcase list` -- lists encrypted items in the data bag.
- `knife briefcase delete NAME [NAME [...]]` -- deletes the listed items from the data bag. TODO: it may be good to refuse to delete files that the user is unable to encrypt. The user is able to delete them anyway, using `knife data bag delete`, but it shouldn't be allowed via `knife briefcase`.
- `knife briefcase reload [NAME [NAME [...]]]` -- downloads and decrypts the listed items, re-encrypts and re-signs them, and saves the re-encrypted content back. If no names are provided, all items are re-encrypted. This should be run when the list of briefcase holders changes, so that an added user can decrypt the bag, or to prevent further access by a removed user.
Git Annex support
The briefcase is a perfect storage backend for git-annex. This combination lets you pretend-store secret files in the repository, sync them over git-annex, and have the content safely encrypted on the Chef server.
To use briefcase as a git-annex special repo, configure a hook:
```shell
$ git config annex.briefcase-hook 'knife briefcase annex hook'
$ git annex initremote briefcase type=hook hooktype=briefcase encryption=none
```

By default, annex content will be stored in the `annex` data bag; you can use the `--data-bag=NAME` argument to `knife briefcase annex hook`, or the `briefcase_annex_data_bag` setting in `knife.rb`, to use a different data bag.
The following `knife.rb` settings are used:

- `briefcase_holders` -- array of e-mail addresses that will be the GPG recipients of the data.
- `briefcase_signers` -- e-mail address (or array of e-mail addresses) that will be used to sign encrypted content.
- `briefcase_data_bag` -- name of the data bag that will be used by default to hold encrypted content. If not provided, the `briefcase` data bag will be used. The data bag name can be overridden on the command line.
- `briefcase_annex_data_bag` -- name of the data bag that will be used by default by `knife briefcase annex hook`. If not provided, the `annex` data bag will be used. The data bag name can be overridden on the command line.

Example:

```ruby
briefcase_signers `git config --get user.email`.strip
briefcase_holders [ 'email@example.com', 'firstname.lastname@example.org', 'email@example.com', 'firstname.lastname@example.org', 'email@example.com' ]
```
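As an added example that is not part of knife-briefcase, the following Ruby stand-in for the `knife.rb` setter DSL loads the `briefcase_*` settings described above, applies the documented data bag defaults and overrides, and checks for a configuration that would let a signer upload items they can never read back; the class name, the `load` helper and the `problems` checks are assumptions of this example, not plugin API.

```ruby
# Added example, not part of knife-briefcase: a stand-in for the knife.rb setter
# DSL that loads the briefcase_* settings and sanity-checks them before use.
class BriefcaseSettings
  DEFAULT_DATA_BAG       = 'briefcase'
  DEFAULT_ANNEX_DATA_BAG = 'annex'

  def initialize
    @settings = {}
  end

  # knife.rb lines such as `briefcase_holders [ 'a@example.com' ]` are method
  # calls; record the briefcase_* ones and ignore unrelated knife settings.
  def method_missing(name, *args)
    return nil unless name.to_s.start_with?('briefcase_')
    @settings[name] = args.size == 1 ? args.first : args
  end

  # Evaluate a knife.rb fragment given as a string.
  def self.load(source)
    cfg = new
    cfg.instance_eval(source)
    cfg
  end

  # GPG recipients, with duplicate addresses collapsed.
  def holders
    Array(@settings[:briefcase_holders]).uniq
  end

  # briefcase_signers may be a single address or an array of them.
  def signers
    Array(@settings[:briefcase_signers])
  end

  # README defaults; --data-bag=NAME on the command line overrides them.
  def data_bag(override = nil)
    override || @settings.fetch(:briefcase_data_bag, DEFAULT_DATA_BAG)
  end
  def annex_data_bag(override = nil)
    override || @settings.fetch(:briefcase_annex_data_bag, DEFAULT_ANNEX_DATA_BAG)
  end

  # Content is encrypted only to the holders, so a signer who is not also a
  # holder can `put` an item but never `get` it back; flag that and empty holders.
  def problems
    issues = []
    issues << 'briefcase_holders is empty' if holders.empty?
    (signers - holders).each { |s| issues << "signer #{s} is not a holder" }
    issues
  end
end
```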
See the CONTRIBUTING.md file